CVE-2024-10833
Published: 20 March 2025
Summary
CVE-2024-10833 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Dbgpt Db-Gpt. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7080
Vulnerability details
eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledge' is susceptible to absolute path traversal, allowing attackers to write files to arbitrary locations on the target server. This…
more
vulnerability arises because the 'doc_file.filename' parameter is user-controllable, enabling the construction of absolute paths.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, gpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables arbitrary file writes via public-facing knowledge API, facilitating public-facing app exploitation (T1190), ingress tool/malware transfer (T1105), and web shell deployment (T1505.003).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.